Grid Security News is a curated summary of recent key stories related to the Electric Grid, produced weekly by Protect Our Power ( Headlines appear in the first section, followed by complete summaries.

For a complete transcript of paywalled stories, please REPLY to this email and specify the story you would like to view in full.

For your email security, we no longer provide embedded hyperlinks in our feed. Instead, we provide unembedded links that you may copy and paste into your browser to view the entire article. We instituted this change to ensure your cyber safety. We hope this causes no inconvenience, but in today's environment, we must all be vigilant.

Note: Email on MacOS (AppleMail, iPhones) will probably reinsert the hyperlink. Only click on hyperlinks from trusted sources!

For daily updates, follow us on Twitter: @gridprotection 

To subscribe to Grid Security News:

Security Week: Microsoft Warns of Boa Web Server Risks After Hackers Target It in Power Grid Attacks

MeriTalk: White House Sets $13B of Funding to Modernize Power Grid

Homeland Security Newswire: Using Blockchain to Increase Electric Grid Resiliency

American City & County: 3 steps to increase the resiliency of the energy infrastructure

Utility Dive: The power grid faced heat waves, record demand and tight conditions in 2022. What happens next?

The Hill: Sustainability Democrats propose narrow permitting reform effort on electric grid, community involvement

Utility Dive: Offshore oil and gas at risk of potentially catastrophic cyberattack: GAO

Tom Alrich's Blog: Did CISA do their homework?


Security Week: Microsoft Warns of Boa Web Server Risks After Hackers Target It in Power Grid Attacks

Microsoft is warning organizations about the risks associated with the discontinued Boa web server after vulnerabilities affecting the software were apparently exploited by threat actors in an operation aimed at the energy sector.

In 2021, threat intelligence company Recorded Future reported seeing a Chinese threat group targeting operational assets within India’s power grid. In April 2022, the cybersecurity firm published a new report describing attacks launched by a different Chinese state-sponsored threat actor against organizations in India’s power sector.

Targets included several State Load Despatch Centres (SLDCs) responsible for carrying out grid control and electricity dispatch operations. These SLDCs maintain grid frequency and stability through access to supervisory control and data acquisition (SCADA) systems.

When it released its report in April, Recorded Future shared some indicators of compromise (IoCs) to help organizations detect potential intrusions.

Microsoft has analyzed the IP addresses included in those IoCs and determined that they hosted Boa, an open source web server designed for embedded applications. The problem is that Boa has been discontinued since 2005, but it’s still present in many IoT devices.

“Microsoft assesses that Boa servers were running on the IP addresses on the list of IOCs published by Recorded Future at the time of the report’s release and that the electrical grid attack targeted exposed IoT devices running Boa,” Microsoft said in a blog post published on Tuesday.

An analysis conducted by the tech giant showed that some of the IP addresses were associated with vulnerable IoT devices, such as routers, housed by organizations in critical industries.

(Nov. 23)

MeriTalk: White House Sets $13B of Funding to Modernize Power Grid

The Biden-Harris administration is directing $13 billion of funding to the Department of Energy (DoE) for new financing opportunities to support expansion and modernization of the nation’s electric grid.

The funding – authorized by the Bipartisan Infrastructure Law approved by Congress in November 2021 – represents the largest single direct Federal investment in critical transmission and distribution infrastructure, and one of the first down payments on an over $20 billion investment under the administration’s Building a Better Grid Initiative.

“We are moving swiftly to deliver cleaner, cheaper energy to every American community by building a modern and reliable electric grid,” Energy Secretary Jennifer M. Granholm, said in a press release.

The Building a Better Grid Initiative was launched at the beginning of this year to accelerate the nationwide development of new and upgraded high-capacity electric transmission lines and create a more resilient electric grid. The $13 billion of funding will be directed to three programs under the initiative: the Grid Resilience Utility and Industry Grants; Smart Grid Grants; and the Grid Innovation Program.

Specifically, the Grid Resilience Utility and Industry Grants fund comprehensive transmission and distribution technology solutions that will mitigate multiple hazards across a region or within a community.

“With nearly 70% of the nation’s grid more than 25 years old, the President’s agenda is making historic investments that will strengthen the nation’s transmission grid to drive down energy costs, generate good-paying jobs, and help keep the lights on during extreme weather events,” Granholm said.

Investments in transmission infrastructure can help protect the grid against supply disruptions due to physical and cyber-attacks or climate-induced extreme weather, minimize the impact of supply disruptions when they happen, and restore electricity more quickly when outages do occur.

(Nov. 22)

Homeland Security Newswire: Using Blockchain to Increase Electric Grid Resiliency

Blockchain is best known for securing digital currency payments, but researchers are using it to track a different kind of exchange: It’s the first time blockchain has ever been used to validate communication among devices on the electric grid.

Although blockchain is best known for securing digital currency payments, researchers at the Department of Energy’s Oak Ridge National Laboratoryare using it to track a different kind of exchange: It’s the first time blockchain has ever been used to validate communication among devices on the electric grid.

The project is part of the ORNL-led Darknet initiative, funded by the DOE Office of Electricity, to secure the nation’s electricity infrastructure by shifting its communications to increasingly secure methods.

Cyber risks have increased with two-way communication between grid power electronics equipment and new edge devices ranging from solar panels to electric car chargers and intelligent home electronics. By providing a trust framework for communication among electrical devices, an ORNL research team led by Raymond Borges Hink is increasing the resilience of the electric grid. The team developed a framework to detect unusual activity, including data manipulation, spoofing and illicit changes to device settings. These activities could trigger cascading power outages as breakers are tripped by protection devices.

“This framework gives us a totally new capability to rapidly respond to anomalies,” Borges Hink said. “In the long run, we could more quickly identify an unauthorized system change, find its source and provide more trustworthy failure analysis. The goal is to limit the damage caused by a cyberattack or equipment failure.”

The approach uses tamper-resistant blockchain to spread configuration and operational data redundantly across multiple servers. The data and equipment settings are constantly verified against a statistical baseline of normal voltage, frequency, breaker status and power quality. Equipment settings are collected at frequent intervals and compared to the last good configuration saved in the blockchain. This allows rapid recognition of when and how settings were changed, whether those changes were authorized, and what caused them.

“Our system helps determine in near real time whether a fault was triggered by a cyberattack or induced by natural events,” Borges Hink said. “This is the first implementation of blockchain enabling this kind of data validation between a substation, a control center and metering infrastructure.”

(Nov. 28)

American City & County: 3 steps to increase the resiliency of the energy infrastructure

Picture this: A hurricane strikes a coastal town and destroys the power distribution network. A hospital generator fails, plunging the building into total darkness. Medical equipment, elevators and lighting are all non-functional. There’s no air conditioning nor natural ventilation because the windows are sealed shut, resulting in overwhelming heat and humidity. The water pumps grind to a halt, cutting off precious water access.

It’s a nightmare scenario, right? Sadly, that’s exactly what happened to Memorial Hospital in New Orleans in the aftermath of Hurricane Katrina in August 2005. It could happen to any number of health care organizations in vulnerable low-laying areas up and down the eastern seaboard, especially as global warming intensifies over the coming years.

Keeping access to our energy infrastructure safe and secure is always a pressing priority, whether skies are stormy or serene. Energy infrastructure systems are often referred to as lifelines because so many other services (such as utilities and transportation) depend on the electric grid to function.

So, what steps can we collectively take to best protect our critical energy infrastructure?

1. Perform energy audits

For existing infrastructure, it’s better to begin with efficiency improvements since they’re cheaper and offer better ROI than embarking on new capital projects such as installing wind turbines. Some of the modifications can include evaluating the electric distribution system to reduce losses and better quantify usage.

Additionally, you can identify losses from idle and over-sized transformers, detect and reduce unmetered loads, or even quantify and report service station losses. Similarly, you can perform audits on large public and commercial buildings and implement upgrades such as smart meters.

2. Invest in cybersecurity

Today, natural calamities such as storms and hurricanes aren’t the only risks to your energy systems. As investments in energy resources such as solar panels and battery backups increase, there’s the potential of serious cyber vulnerabilities.

Again, traditional energy infrastructure is increasingly getting connected to modern, digital technologies and networks. And while these innovations make the energy system smarter and enhance the consumer experience, this digitization poses significant risks such as attacks that can compromise the security of the service. The industry consensus is that our nation’s energy infrastructure is woefully under protected when it comes to cybersecurity, so every investment we can make to shore up our digital defenses, the better.

3. Embrace predictive analytics

It’s about relying on advanced analytics to reduce energy costs, forecast future power consumption, and meet customers’ expectations. Predictive analytics help you to efficiently balance between energy supply and energy demand to make sure there are no power outages during peak hours. With the right tools and strategies, you can generate valuable insights from the enormous data being produced by smart meters, automated fault switches and customer interactions.

(Nov. 22)

Utility Dive: The power grid faced heat waves, record demand and tight conditions in 2022. What happens next?

All over the country, a changing climate and extreme weather events – whether due to high temperatures, low temperatures or storms and hurricanes – are posing a threat to grid reliability in the U.S.

Power systems across the U.S. faced challenging grid reliability conditions over the past year, but managed to avoid the worst-case scenario of prolonged outages thanks to a combination of policy measures implemented over the last couple of years and luck, experts say. 

All over the country, a changing climate and extreme weather events – whether due to high temperatures, low temperatures or storms and hurricanes – are posing a threat to grid reliability, according to Eric Gimon, senior fellow with Energy Innovation. Weather patterns are changing from what the U.S. historically experienced, and are going to continue to get more extreme, he said, and “what seems unusual today will seem more normal tomorrow. This is a one-way street right now.”

In Texas, the Electric Reliability Council of Texas grid experienced extreme temperatures and peak loads, but has so far avoided widespread blackouts in 2022; California underwent a heat wave in September and despite very tight power supply conditions, also managed to prevent large-scale outages. The Pacific Northwest, meanwhile, experienced high temperatures this year, although not as severe as during the heat wave it underwent in 2021, and also avoided prolonged outages.

Power system stakeholders are grappling with these issues and doing what they can in a relatively short period to prepare the grid for changing weather and demand patterns, according to Arne Olson, senior partner with Energy and Environmental Economics. 

In general, the grid fared better in 2022 than the previous year or two, which experts attribute in part to luck — that is, relatively less challenging weather conditions — as well as a host of measures implemented by grid operators and planners, like mobilizing demand response and bringing online new battery storage in California, which “if they hadn’t done those things we would not have got through that situation without a blackout,” said Olson.

(Nov. 22)

The Hill: Sustainability Democrats propose narrow permitting reform effort on electric grid, community involvement

A group of House Democrats that are part of a sustainability coalition on Monday put forward a narrow proposal on permitting reform amid broader talks on how to reshape the country’s energy approval process. 

The new policy brief released by leaders of the House Sustainable Energy & Environment Coalition (SEEC) narrowly focuses on bolstering the country’s electricity infrastructure and community involvement in energy project assessments. 

“This policy brief breaks down some of the key legislative solutions that Congress should take up when considering reforming our laws to build a clean energy future,” the brief’s introduction reads. 

The permitting reform negotiations are complex as large swaths of Democrats and Republicans would have to be on board on a set of issues where the two parties remain far apart. 

Some of SEEC’s leaders, including co-chair Gerry Connolly (D-Va.) and vice chairs Alan Lowenthal (D-Calif.), and Donald McEachin (D-Va.) were part of a large coalition of Democrats who expressed opposition to Sen. Joe Manchin’s (D-W.Va.) permitting reform push. 

The new pitch from the sustainability coalition promotes legislation that the lawmakers say would give the federal government more power to approve some electric transmission lines, bolster grid resiliency and promote the development of community solar and offshore wind.

It also called for increases to community involvement by requiring the preparation of reports on whether projects will harm community health and establishing environmental justice liaisons for such projects. 

Manchin has been fighting to speed up the approval process for both fossil and renewable energy projects. Backed by Democratic leadership, he recently attempted to pass legislation that included shorter timelines for environmental impact studies and the approval of a pipeline in his home state. 

(Nov. 21)


Utility Dive: Offshore oil and gas at risk of potentially catastrophic cyberattack: GAO

Dive Brief:

  • The nation’s offshore oil and gas industry faces a significant and growing risk of a malicious cyberattack that could result in a catastrophic incident rivaling the deadly Deepwater Horizon incident in 2010, according to a report from the U.S. Government Accountability Office
  • The industry includes about 1,600 offshore oil and gas facilities that are highly dependent on remotely connected operational technology, the report said. Many of these systems rely on aging technology, which lack many of the built-in safeguards that protect facilities against modern cybersecurity risks. 
  • The Department of Interior, which oversees the industry, needs to urgently develop a plan to mitigate such a threat, the report warns. Department officials have been aware of such a risk for years, however multiple attempts to take corrective action have fallen short or failed to get off the ground.

Dive Insight:

The 2021 Colonial Pipeline ransomware attack disrupted much of the nation’s supply of gasoline for nearly a week, causing runs on fuel, temporary price spikes and outages in stations across the Southeast and Mid-Atlantic states. 

Following that incident and the later ransomware attack on meatpacking firm JBS USA, the Biden administration highlighted the risk of cyberattacks or breaches across a core group of 16 critical infrastructure sectors. The offshore oil and gas industry is part of a larger risk to the U.S. energy sector, which has come under scrutiny in part due to Russia’s invasion of Ukraine, which has led to even greater pressure on global oil and gas prices and attacks on energy facilities. 

The Bureau of Safety and Environmental Enforcement at the Interior Department previously launched efforts in 2015 and 2020 to address cybersecurity risks, but failed to take substantive action in both cases, according to the report. 

The BSEE launched another plan earlier this year to address cybersecurity and hired a specialist to lead the effort, but later put that plan on pause to offer more time for the official to get up to speed on the issues, the report stated. 

“Interior officials, specifically the [BSEE] leadership, has been aware of cyberthreats to offshore infrastructure, but have simply not acted on those threats in a sufficient or timely fashion,” Frank Rusco, director of national resources and environment at GAO, said via email.

While Rusco said the agency cannot specifically rank what type of cybersecurity attack poses the biggest risk, he reiterated “environmental and worker safety damages are potentially very large” in light of the multi-billion dollar cost of the Deep Water Horizon disaster. 

(Nov. 18)


Tom Alrich's Blog: Did CISA do their homework?

On November 10, CISA issued a blog post called “TRANSFORMING THE VULNERABILITY MANAGEMENT LANDSCAPE”. It got a lot of attention and widespread approval. It describes three techniques whose implementation will, according to the post, lead to “more efficient, automated, prioritized vulnerability management.” While these should be of interest to both software (and intelligent device) suppliers and end users, the recommendations are aimed primarily at the suppliers – since they need to take the initiative in all three of these areas.

Since the third recommendation, use of the new SSVC vulnerability categorization framework (which, not at all coincidentally, is CVSS spelled backwards) isn’t closely related to the first two, I’ll just focus on those two, although SSVC strikes me as a very good idea.

CISA’s first recommendation is that software suppliers should “Publish machine-readable security advisories based on the Common Security Advisory Framework (CSAF).” CSAF is currently on v2.0, which is also its first versoin. CSAF is the replacement for the Common Vulnerability Reporting Format (CVRF) version 1.2, which has been available since 2017. CVRF was developed and maintained by the CSAF technical committee of OASIS. I don’t know the full story, but at some point the committee presumably decided that the new version they were contemplating was going to be so different from CVRF that they should just name it after the committee. Sounds like a smart move to me. After all, it’s all about branding.

Unfortunately, branding alone isn’t enough when it comes to a machine-readable advisory format. You need two more things. First, you need at least one software tool to create the advisories, for use by suppliers who aren’t intimately familiar with the format. If you spend five minutes looking through the CSAF format, I think you’ll agree that it would take a lot of study for someone with no prior knowledge of, or experience with, CSAF to create an advisory without the help of a tool. Currently, the only available tool is Secvisogram, a CSAF editor (this was also the only available tool when the VEX working group approved CSAF as the VEX format in the spring of 2021). It will count brackets for you and perform similar tasks, but you need a full understanding of the CSAF format in order to use the tool to create a CSAF document.

There are a small number of mostly very large organizations – including Oracle, Cisco and Red Hat – that have announced support for CSAF 2.0. However, I could only find actual CSAF files published by Red Hat (and Red Hat labels the CSAF 2.0 format as “beta”, even though it was finalized and approved more than a year ago). Presumably, those organizations have been able to make the substantial investment of time required to create CSAF advisories (I know that Cisco and Red Hat have been part of the CSAF technical committee for years).

However, CISA’s blog post didn’t limit its recommendations just to large, well-resourced companies. They clearly want all software and device suppliers, large and small, to start issuing CSAF vulnerability advisories. And this is where I see a problem: Expecting every supplier of any size, large or small, to start creating CSAF advisories without having to invest a huge amount of time learning the CSAF format requires a “CSAF for Dummies” tool. I define this as a tool that prompts the user for the information they want to represent in the advisory – the CVE or CVEs in question, the affected products and versions, remediation advice for each affected version (which might include a patch or upgrade, but might also include something else), etc. To use the tool, the user shouldn’t need to understand the details of the format; they should just be required to answer questions about what they want in the advisory.

Currently, no such tool is available for CSAF (one is under development, and evidently has been for a long time); if a supplier wants to create CSAF advisories now, they have to go Full Monty and learn CSAF well enough to be able to use Secvisogram intelligently. And there are clearly a number of required fields – like “product name” (and the related concept of “product tree”) and “branches” – whose meaning is anything but self-evident. Any supplier wishing to create CSAF documents will need to have a good understanding of the huge number of options available for creating these and other fields, as well as understand how versions are represented, which is anything but straightforward.

Second, a machine-readable advisory format, in order to be usable, requires tools that read the format. And here the story is the same: There are no tools that read CSAF documents, even a simple parser tool. There is a parser tool under development, but that’s all. And frankly, a parser tool isn’t going to do end users a lot of good. Since most medium-to-large organizations utilize some tool or tools to manage vulnerabilities on their network (the tool may go under the name “scanner”, “vulnerability management”, “configuration management”, “asset management”, and probably other names as well), just parsing a CSAF file so that it’s readable by ordinary humans doesn’t get the information into their vulnerability management tool, where it’s needed. At the moment, the user is going to have to key the information in by hand, unless they’ve created their own tool to do this.

You probably get the idea: CSAF is a machine-readable vulnerability reporting format, but currently no machine can create or read CSAF documents – which raises the question what “machine readable” means in practice. If CSAF 2.0 had just been recently released, I wouldn’t be too bothered by this fact. Indeed, I wasn’t bothered a year ago that there weren’t any tools for it, since it was then only three months since CSAF 2.0 had been approved (although it had been under development for at least a couple of years).

(Nov. 27)


Jim Gold | Operations Director

O: 212.235.0251 M: 347.968.2912 @gridprotection